Which solution should a solutions architect recommend to meet these requirements?
Use Amazon Cognito Identity with SMS-based MFA.
Edit IAM policies to require MFA for all users.
Federate IAM against the corporate Active Directory that requires MFA.
Use Amazon API Gateway and require server-side encryption (SSE) for photos.
Explanations:
Amazon Cognito Identity provides user authentication and can easily integrate multi-factor authentication (MFA) using SMS. It is a fully managed service that reduces the complexity and maintenance overhead of building a secure login system from scratch.
Editing IAM policies to require MFA applies to AWS console access and API calls but does not address user login directly for a mobile app. It does not provide a user-friendly way for customers to authenticate, nor does it handle user management effectively for mobile applications.
Federating IAM against the corporate Active Directory may provide MFA options, but it typically requires a more complex setup and integration process. This solution may also be unsuitable for a mobile app focused on customer use, which requires a simpler, user-friendly approach.
Using Amazon API Gateway with server-side encryption (SSE) for photos addresses data security during upload but does not provide any authentication or MFA mechanism. Thus, it fails to meet the requirement for secure login and user authentication.